Vulnerability
BackWeb Polite Agent Protocol
Affected
BackWeb client using the Polite Agent Protocol
Description
Followung is based on ISS Security Advisory. They discovered a
vulnerability in the BackWeb Polite Agent Protocol that allows a
user on a local network on which BackWeb clients operate to spoof
a BackWeb server. Hardware and software vendors often include
BackWeb software in their distribution to facilitate remote
distribution of software updates.
The BackWeb Polite Agent Protocol is a UDP-based protocol that
BackWeb clients use to communicate with BackWeb servers. BackWeb's
"anti-spoofing mechanism" for delivery of UDP data to the client
and server is the exchange of a 32-bit integer, randomly generated
by the client each time it requests data from the server. This
integer is appended to each packet of a specific piece of BackWeb
data (InfoPak). By examining these packets in transport, an
attacker may send false data to a BackWeb client, acting as the
real BackWeb server. BackWeb uses a sequencing method to maintain
packet data integrity. Any attacker who can examine a local
network can determine the 32-bit integer and sequence numbers. A
race condition exists where the attacker may deliver a false
response to the client 'match request,' which is the first packet
delivered by the client to determine whether or not the server
should send data to it. If this spoofed response reaches the
client before the real BackWeb server responds, the attacker may
continuously write realistic-looking BackWeb packets to the
network in response to the client request. These packets may
direct the client to update files on its drive, execute programs,
or display messages on the client screen. While client security
settings may not be changed, other client settings such as
displayed data may be changed. Depending on the client security
settings, an attacker may send executable files to be executed on
the client machine. By default, BackWeb's security settings
disable automatic execution of downloaded files.
Solution
Until a suitable security mechanism is made available by the
vendor, ISS recommends upgrading to BackWeb 5.0, which supports
VeriSign digital certificates for enhanced security. BackWeb
strongly recommends that customers do not enable automatic
execution of downloaded files when using software prior to version
5.0 unless other security mechanisms are implemented separate
from the BackWeb system. Customers using BackWeb client version
5.0 and above can enable automatic execution of files that will
only automatically execute a file after verifying that the file is
digitally signed and that the signing certificate is approved.